Hi,

Björn Höfling <bjoern.hoefl...@bjoernhoefling.de> writes:

> On Sun, 4 Nov 2018 09:52:44 +0000
> Gnu Röoty <walidsl...@gmail.com> wrote:
>
>> Hi from 2 days I build the installation of guixSD to
>> berlin.guixsd.org and nss-3.36.6 can't build.
>
> This was also reported on guix-help by Brian Woodcox.
>
> Here is some analysis I reported to that thread:
>
> This package does not build reproducibly. At least in the long term:
> There are tests that check certificates on temporal validity and that
> depends on the system time.
>
> I can reproduce your result with the 3.39 version. It looks like one
> certificate is expired. All 6 failing tests look about like this one:
>
>
> s -d AllDB -pp - PASSED
> chains.sh: Verifying certificate(s) PayPalEE.cert with flags -d AllDB -pp -o OID.2.16.840.1.114412.1.1
> vfychain -d AllDB -pp -vv -o OID.2.16.840.1.114412.1.1 /tmp/guix-build-nss-3.39.drv-0/nss-3.39/nss/tests/libpkix/certs/PayPalEE.cert
> Chain is bad!
> PROBLEM WITH THE CERT CHAIN:
> CERT 0. PayPalEE :
> ERROR -8181: Peer's Certificate has expired.
> Returned value is 1, expected result is pass
> chains.sh: #1555: RealCerts: Verifying certificate(s) PayPalEE.cert with flags -d AllDB -pp -o OID.2.16.840.1.114412.1.1 - FAILED
>
>
> I don't know how to check the expiration date of PayPalEE.cert.
>
> It looks like upstream has not yet worked on it, as the file was last
> modified two years ago:
>
> https://hg.mozilla.org/projects/nss/log/tip/tests/libpkix/certs/PayPalEE.cert
>
> Cmp also this bug that demands non-expiration certificates:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1330010
>
> Building 3.40 does not work with just updating version/hashsum.
>
> A quick solution would be to build nss from a Guix git-checkout and
> disable tests. But it has many dependencies, so you more or less rebuild the
> world.
>
>
> Björn

Since at least Thu Apr 4 15:14:57 2019 +0200, the test dealing with the problematic PayPalEE.cert certificate is now done after faking the time to a date around the release date with the 'faketime' utility.

As nss builds fine currently, I'm marking this bug as done.

Thanks for the report!

Maxim